It is always important to safeguard access to powerful AD groups, such as Domain Admins, Enterprise Admins etc. Tools like ActiveRoles Server can make that a breeze. ActiveRoles Server itself also has an almighty AD group, which gives members full access to everything within ActiveRoles, including the Active Directories it is managing! It is therefore vital that you safeguard this group and only add a bare minimum of users. It is also recommended that the group is given an unrelated name, to protect it from intruders. However, by default, it is possible to view the name of this group directly in the registry of the server running ActiveRoles. The group name is listed here: HKEY_LOCAL_MACHINE\SOFTWARE\Aelita\Enterprise Directory Manager\DSAdministrators.

The guide below will show you how to change this:

Open the ActiveRoles Server Console

Right-click Configuration

Click Properties

Go to the Object tab

Click Advanced Properties

Set a checkmark in ‘Show all possible attributes’ and ‘Include attributes with empty values’
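
To audit the exposure described in the introduction, the PowerShell function below (an added example, not part of the original guide or of ActiveRoles Server) reads the registry entry, lists the allow ACEs on the key, and counts the recursive members of the group it names. It assumes DSAdministrators is a value under the Enterprise Directory Manager key, that its data is a group name optionally prefixed with DOMAIN\, and that the ActiveDirectory module is installed; the function name and the MaxMembers threshold are hypothetical.

```powershell
# Added example (not ActiveRoles code). Assumptions: DSAdministrators is a value
# under the key below, holding a group name optionally prefixed with DOMAIN\.
function Test-ArsAdminGroupExposure {   # hypothetical function name
    param(
        [string]$KeyPath   = 'HKLM:\SOFTWARE\Aelita\Enterprise Directory Manager',
        [string]$ValueName = 'DSAdministrators',
        [int]$MaxMembers   = 3          # hypothetical threshold for "bare minimum"
    )
    $prop = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if (-not $prop) {
        Write-Warning "Value '$ValueName' not found under $KeyPath"
        return
    }
    $groupName = [string]$prop.$ValueName

    # Well-known broad principals; an allow ACE for any of these typically
    # lets ordinary users on the server read the key.
    $broad = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-11' = 'Authenticated Users'
                'S-1-5-32-545' = 'BUILTIN\Users' }
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $aces = (Get-Acl -Path $KeyPath).GetAccessRules($true, $true, $sidType) |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object {
            [pscustomobject]@{
                Sid       = $_.IdentityReference.Value
                Rights    = $_.RegistryRights
                Inherited = $_.IsInherited
                Broad     = $broad.ContainsKey($_.IdentityReference.Value)
            }
        }

    # Recursive membership of the group (requires the ActiveDirectory module).
    Import-Module ActiveDirectory -ErrorAction Stop
    $sam = ($groupName -split '\\')[-1]   # drop a DOMAIN\ prefix if present
    $members = @(Get-ADGroupMember -Identity $sam -Recursive)

    [pscustomobject]@{
        GroupName       = $groupName
        BroadPrincipals = @($aces | Where-Object Broad)
        AllowAces       = @($aces)
        MemberCount     = $members.Count
        TooManyMembers  = $members.Count -gt $MaxMembers
        Members         = $members.SamAccountName
    }
}

Test-ArsAdminGroupExposure | Format-List
```

Run it in an elevated session on the server running ActiveRoles; a non-empty BroadPrincipals list means ordinary accounts on that server can read the group name.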